From 821687674ed315c8fbb259453855153ea3c23736 Mon Sep 17 00:00:00 2001 From: Will Scullin Date: Mon, 13 Jan 2025 14:12:28 -0800 Subject: [PATCH] Update PR tests to use pull_request_target (#2087) This grants external PRs access to secrets in order to be able to run database tests. For security purposes external PRs will not automatically run tests, tests must be triggered by someone with write permissions to the repo (the core Malloy team). This changes the names of the tests that are run, so older PRs will need to be updated to include these changes in order to pass the required test checks. --- .github/workflows/db-bigquery.yaml | 11 +++-------- .github/workflows/db-duckdb-wasm.yaml | 12 ++++-------- .github/workflows/db-duckdb.yaml | 12 ++++-------- .github/workflows/db-motherduck.yaml | 11 +++-------- .github/workflows/db-mysql.yaml | 12 ++++-------- .github/workflows/db-postgres.yaml | 12 ++++-------- .github/workflows/db-presto.yaml | 11 +++-------- .github/workflows/db-snowflake.yaml | 11 +++-------- .github/workflows/db-trino.yaml | 11 +++-------- .github/workflows/main.yaml | 11 +++-------- .github/workflows/run-tests.yaml | 24 ++++++++++++++++++++++-- CONTRIBUTING.md | 16 ++++++++++------ 12 files changed, 66 insertions(+), 88 deletions(-) diff --git a/.github/workflows/db-bigquery.yaml b/.github/workflows/db-bigquery.yaml index 17b854ef3..1d1034164 100644 --- a/.github/workflows/db-bigquery.yaml +++ b/.github/workflows/db-bigquery.yaml @@ -1,7 +1,6 @@ -name: "DB:BigQuery" +name: 'DB:BigQuery' on: - pull_request: workflow_call: secrets: BIGQUERY_KEY: @@ -11,18 +10,14 @@ jobs: test-bigquery: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: GCloud auth uses: 'google-github-actions/auth@v2' with: 
diff --git a/.github/workflows/db-duckdb-wasm.yaml b/.github/workflows/db-duckdb-wasm.yaml index 4acc430a9..9eaa66391 100644 --- a/.github/workflows/db-duckdb-wasm.yaml +++ b/.github/workflows/db-duckdb-wasm.yaml @@ -1,23 +1,19 @@ -name: "DB:DuckDB(WASM)" +name: 'DB:DuckDB(WASM)' -on: [pull_request, workflow_call] +on: workflow_call jobs: test-duckdb-wasm: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/db-duckdb.yaml b/.github/workflows/db-duckdb.yaml index 7b4f7a56d..9d47f27f1 100644 --- a/.github/workflows/db-duckdb.yaml +++ b/.github/workflows/db-duckdb.yaml @@ -1,23 +1,19 @@ -name: "DB:DuckDB" +name: 'DB:DuckDB' -on: [pull_request, workflow_call] +on: workflow_call jobs: test-duckdb: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/db-motherduck.yaml b/.github/workflows/db-motherduck.yaml index 916714114..ea255b55d 100644 --- a/.github/workflows/db-motherduck.yaml +++ b/.github/workflows/db-motherduck.yaml @@ -1,7 +1,6 @@ -name: "DB:MotherDuck" +name: 'DB:MotherDuck' on: - pull_request: workflow_call: secrets: MOTHERDUCK_TOKEN_10: 
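Review bot: In db-duckdb-wasm.yaml the setup step is renamed to `Use Node.js`, while the other workflows touched by this patch use `Use Node.js 18.x`; I would make it `- name: Use Node.js 18.x` so the step reads the same in every job log. With the matrix removed, `18.x` is now a literal repeated in each called workflow (db-duckdb, db-motherduck, db-mysql, db-postgres, db-presto, db-snowflake, db-trino, main), so a later bump has to touch all of them. A `workflow_call` input with a default value would keep the version in one place.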
@@ -11,18 +10,14 @@ jobs: test-motherduck: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/db-mysql.yaml b/.github/workflows/db-mysql.yaml index b23bc31ce..3fa734044 100644 --- a/.github/workflows/db-mysql.yaml +++ b/.github/workflows/db-mysql.yaml @@ -1,24 +1,20 @@ -name: "DB:MySQL" +name: 'DB:MySQL' -on: [pull_request, workflow_call] +on: workflow_call jobs: # Label of the container job test-mysql: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/db-postgres.yaml b/.github/workflows/db-postgres.yaml index b7b3db892..28b773ed0 100644 --- a/.github/workflows/db-postgres.yaml +++ b/.github/workflows/db-postgres.yaml @@ -1,16 +1,12 @@ -name: "DB:Postgres" +name: 'DB:Postgres' -on: [pull_request, workflow_call] +on: workflow_call jobs: # Label of the container job test-postgres: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - services: postgres: image: postgres @@ -29,10 +25,10 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error 
diff --git a/.github/workflows/db-presto.yaml b/.github/workflows/db-presto.yaml index 8baad930d..c59ee377d 100644 --- a/.github/workflows/db-presto.yaml +++ b/.github/workflows/db-presto.yaml @@ -1,7 +1,6 @@ -name: "DB:Presto" +name: 'DB:Presto' on: - pull_request: workflow_call: secrets: BQ_PRESTO_TRINO_KEY: @@ -12,18 +11,14 @@ jobs: test-presto: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/db-snowflake.yaml b/.github/workflows/db-snowflake.yaml index 0accc0f77..8c5773bff 100644 --- a/.github/workflows/db-snowflake.yaml +++ b/.github/workflows/db-snowflake.yaml @@ -1,7 +1,6 @@ -name: "DB:Snowflake" +name: 'DB:Snowflake' on: - pull_request: workflow_call: secrets: SNOWFLAKE_CONNECTION: @@ -11,18 +10,14 @@ jobs: test-snowflake: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/db-trino.yaml b/.github/workflows/db-trino.yaml index 3783bbca7..21e96efd0 100644 --- a/.github/workflows/db-trino.yaml +++ b/.github/workflows/db-trino.yaml @@ -1,7 +1,6 @@ -name: "DB:Trino" +name: 'DB:Trino' on: - pull_request: workflow_call: secrets: BQ_PRESTO_TRINO_KEY: 
@@ -12,18 +11,14 @@ jobs: test-trino: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - steps: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: npm install, build, and test run: | npm ci --loglevel error diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index b3a4d5aca..2730f3e99 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -5,20 +5,15 @@ name: Core on: - pull_request: workflow_call: secrets: BIGQUERY_KEY: required: true jobs: - test-all: + main: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [18.x] - services: postgres: image: postgres @@ -37,10 +32,10 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'true' - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 18.x uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: 18.x - name: GCloud auth uses: 'google-github-actions/auth@v2' with: diff --git a/.github/workflows/run-tests.yaml b/.github/workflows/run-tests.yaml index 5965377b1..f90d8f3e4 100644 --- a/.github/workflows/run-tests.yaml +++ b/.github/workflows/run-tests.yaml 
@@ -1,33 +1,53 @@ name: Malloy Tests -on: [workflow_dispatch] +on: [workflow_dispatch, pull_request] jobs: + check-permission: + runs-on: ubuntu-latest + steps: + - name: Permission Check + uses: malloydata/check-ci-permissions@v1 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + username: ${{ github.triggering_actor }} + error_message: | + User does not have write access to this repository. Refer to CONTRIBUTING.md instructions on how to contribute to Malloy. + + # *** IMPORTANT *** + # When modifying these, make sure that needs: check-permission + # is part of any job that requires secrets. main: + needs: check-permission uses: './.github/workflows/main.yaml' secrets: BIGQUERY_KEY: ${{ secrets.BIGQUERY_KEY }} db-trino: + needs: check-permission uses: './.github/workflows/db-trino.yaml' secrets: BQ_PRESTO_TRINO_KEY: ${{ secrets.BQ_PRESTO_TRINO_KEY }} db-presto: + needs: check-permission uses: './.github/workflows/db-presto.yaml' secrets: BQ_PRESTO_TRINO_KEY: ${{ secrets.BQ_PRESTO_TRINO_KEY }} db-duckdb: uses: './.github/workflows/db-duckdb.yaml' db-bigquery: + needs: check-permission uses: './.github/workflows/db-bigquery.yaml' secrets: BIGQUERY_KEY: ${{ secrets.BIGQUERY_KEY }} db-motherduck: + needs: check-permission uses: './.github/workflows/db-motherduck.yaml' secrets: MOTHERDUCK_TOKEN_10: ${{ secrets.MOTHERDUCK_TOKEN_10 }} db-postgres: uses: './.github/workflows/db-postgres.yaml' db-snowflake: + needs: check-permission uses: './.github/workflows/db-snowflake.yaml' secrets: SNOWFLAKE_CONNECTION: ${{ secrets.SNOWFLAKE_CONNECTION }} @@ -37,7 +57,7 @@ jobs: uses: './.github/workflows/db-duckdb-wasm.yaml' # I think I have the sorted roughly longest to shortest - # so the longer running jobs get wrokers sooner, not sure + # so the longer running jobs get workers sooner, not sure # that is the right plan malloy-tests: needs: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cf472c859..a79e9eb1a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
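Review bot: The trigger added in run-tests.yaml is `pull_request`, not the `pull_request_target` named in the commit subject, and by default GitHub does not pass repository secrets to `pull_request` runs that come from a fork, so for external PRs the jobs behind `needs: check-permission` would still run without `BIGQUERY_KEY` and the other secrets, whoever re-runs them. If the trigger is meant to become `pull_request_target`, the `actions/checkout@v4` steps in the called workflows have no `ref:` and would test the base branch; checking out the PR head instead runs contributor-controlled code (including whatever `npm ci` executes) with those secrets, which leaves the `github.triggering_actor` check as the only control and makes a maintainer re-run equivalent to approving the diff. I would say so in the IMPORTANT comment, e.g. `# Re-running as a maintainer lets this PR's code run with repository secrets; review the diff first.`, and add a workflow-level `permissions:` block (for example `contents: read`, assuming the permission-check action needs no more), since none appears between `on:` and `jobs:`. `malloydata/check-ci-permissions@v1` receives `GITHUB_TOKEN` through a mutable tag; pinning it to a full commit SHA would keep the gate from changing without a reviewed commit in this repository.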
@@ -1,4 +1,5 @@ ## Project Committers + Our committers are the following GitHub accounts: lloydtabb @@ -11,13 +12,13 @@ whscullin ## Developer Certificate of Origin -All new inbound code contributions must also be accompanied by a Developer -Certificate of Origin (http://developercertificate.org) sign-off in the source -code system that is submitted through a TSC-approved contribution process which -will bind the authorized contributor and, if not self-employed, their employer +All new inbound code contributions must also be accompanied by a Developer +Certificate of Origin (http://developercertificate.org) sign-off in the source +code system that is submitted through a TSC-approved contribution process which +will bind the authorized contributor and, if not self-employed, their employer to the applicable license. -Contributors sign-off that they adhere to these requirements by adding a +Contributors sign-off that they adhere to these requirements by adding a Signed-off-by line to commit messages. Git has a -s command line option to append this automatically to your commit @@ -25,7 +26,7 @@ message, for example: ``` $ git commit -s -m 'This is my commit message' -``` +``` ## Code Reviews @@ -34,6 +35,9 @@ use GitHub pull requests for this purpose. Consult [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests. +All pull requests must pass tests. Outside contributors should contact the Malloy +team via the`#developing` channel on the [Malloy Slack](https://malloydata.github.io/slack). + ## Code of Conduct This project follows